If you play a mobile game built with Unity's engine or using Unity's advertising SDK, Unity may collect your device ID, IP address, and gameplay behavior even though you never signed up for anything with Unity directly.
This analysis describes what Unity's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision affects potentially hundreds of millions of mobile game players who have no direct relationship with Unity but whose data Unity collects and uses for advertising profiling.
Players of Unity-powered games may have their device identifiers, IP addresses, and behavioral data collected and used to build advertising profiles without ever consciously agreeing to Unity's terms, raising questions about the adequacy of indirect consent in this context.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Unity has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We collect data from end users of games and apps that are built using Unity's technology or that use Unity's services. This includes data collected through our SDKs, such as device information (including advertising identifiers), IP address, gameplay data and interactions, and other usage information. We may combine this data with other information we have about you.— Excerpt from Unity's Unity Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR and UK GDPR, particularly the requirements around legal basis for processing and transparency obligations toward data subjects who have no direct relationship with Unity as controller. The policy cites legitimate interests as a basis for certain processing, which EU supervisory authorities have scrutinized in programmatic advertising and SDK-based tracking contexts. COPPA is also implicated where games accessible to children embed Unity's SDK. The FTC's authority over deceptive data practices is relevant for US-based end users. GOVERNANCE EXPOSURE: High. The collection of personal data from end users via embedded third-party SDKs, relying on legitimate interests or downstream developer consent, is one of the most actively scrutinized areas of EU data protection enforcement. The scale of Unity's SDK deployment amplifies regulatory exposure, and the adequacy of consent or notice provided to end users through the game publisher layer is operationally difficult to verify or guarantee. JURISDICTION FLAGS: EU and EEA users receive the highest protection under GDPR, and legitimate interests assessments for advertising-related processing face a high bar under EDPB guidance. California residents have CCPA and CPRA opt-out rights. Users in jurisdictions with sector-specific mobile privacy regulations (such as Illinois for biometric data if gameplay involves such collection) may have additional protections. COPPA creates heightened exposure where games are accessible to children under 13. CONTRACT AND VENDOR IMPLICATIONS: Game developers and publishers who embed Unity's SDK are likely subject to Unity's developer terms, which may include data processing agreements under GDPR Article 28. Procurement teams at publishing organizations should verify that adequate DPAs are in place, that their own end-user privacy notices disclose Unity's data collection, and that opt-out mechanisms are surfaced to players. COMPLIANCE CONSIDERATIONS: Compliance teams should map all products using Unity's SDK and audit whether end-user privacy disclosures adequately reference Unity's data collection. Legitimate interests assessments covering SDK-based advertising data collection should be reviewed and documented. For EU-facing products, consent management platform configurations should be evaluated to ensure Unity's processing is covered within the IAB TCF consent string or equivalent mechanism.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision affects potentially hundreds of millions of mobile game players who have no direct relationship with Unity but whose data Unity collects and uses for advertising profiling.
Players of Unity-powered games may have their device identifiers, IP addresses, and behavioral data collected and used to build advertising profiles without ever consciously agreeing to Unity's terms, raising questions about the adequacy of indirect consent in this context.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Unity.